Feds propose security standards

SAN FRANCISCO: Everyone had a different take on standards-based security at the recent RSA Conference 2004. Advocates touted three proposed security standards and a handful of technical specifications.

The Energy Department this spring will launch a Security Incident Response Portal as a prototype of a new standard nomenclature for Web application vulnerabilities.

Energy and the Organization for the Advancement of Structured Information Standards (OASIS) are promoting the Application Vulnerability Description Language, or AVDL, an Extensible Markup Language schema for sharing vulnerability data among multivendor security products. Its developers called it an alternative to the labor-intensive job of eyeballing and rewriting scores of text alerts.

"We're just starting to evangelize it," said John Dias, senior security analyst at Energy's Computer Incident Advisory Capability. "CIAC scours the Internet for vulnerability information. We're real good at it, but we're being overwhelmed."

The XML-enabled Security Incident Response Portal, at CIAC in Livermore, Calif., will listen for AVDL alerts, process them and automatically pass them on to users.
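The portal's job as described here (listen for XML alerts, validate them, pass them on to the right users) is small enough to sketch in code. The Python below is an added example, not code from the article, CIAC or OASIS. The `<alert>` element names are an assumed AVDL-like shape chosen for illustration and are not the actual AVDL schema; the sample alerts and subscriber lists are constructed. One point a practitioner would want that the article does not spell out: vendor-supplied XML is untrusted input, so the parser refuses DTD and entity declarations before it does anything else.

```python
"""Machine-readable vulnerability alerts: parse, validate, route.

Added example. The <alert> element names are an assumed, AVDL-like shape
chosen for illustration; they are NOT the real AVDL schema. All sample
alerts below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SEVERITIES = ("low", "medium", "high", "critical")
REQUIRED = ("id", "product", "severity", "url-pattern", "description")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    product: str
    severity: str
    url_pattern: str
    description: str


def parse_alert(xml_text: str) -> Alert:
    """Turn one vendor alert into a typed record, rejecting anything malformed.

    The portal ingests XML from many vendors, so it is untrusted input: refuse
    DTD and entity declarations outright rather than rely on parser defaults.
    """
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)          # raises ET.ParseError on bad XML
    if root.tag != "alert":
        raise ValueError(f"unexpected root element <{root.tag}>")
    fields = {}
    for name in REQUIRED:
        node = root.find(name)
        text = (node.text or "").strip() if node is not None else ""
        if not text:
            raise ValueError(f"missing required element <{name}>")
        fields[name] = text
    severity = fields["severity"].lower()
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {fields['severity']!r}")
    return Alert(fields["id"], fields["product"], severity,
                 fields["url-pattern"], fields["description"])


def route(alerts, subscriptions):
    """Map each subscriber to the alert ids matching its product/severity filter.

    subscriptions: {subscriber: {"products": {...}, "min_severity": "..."}}
    """
    routed = {name: [] for name in subscriptions}
    for alert in alerts:
        for name, pref in subscriptions.items():
            wanted = alert.product in pref["products"]
            severe_enough = (SEVERITIES.index(alert.severity)
                             >= SEVERITIES.index(pref["min_severity"]))
            if wanted and severe_enough:
                routed[name].append(alert.alert_id)
    return routed


def process_feed(xml_docs, subscriptions):
    """Parse every document; return (routed alert ids, rejection reasons)."""
    accepted, rejected = [], []
    for doc in xml_docs:
        try:
            accepted.append(parse_alert(doc))
        except (ValueError, ET.ParseError) as exc:
            rejected.append(str(exc))
    return route(accepted, subscriptions), rejected


# Constructed sample feed: two valid alerts, one missing a field, one with a DTD.
SAMPLE_FEED = [
    """<alert><id>A-1</id><product>ExampleCMS</product><severity>high</severity>
       <url-pattern>/admin/*</url-pattern><description>Auth bypass</description></alert>""",
    """<alert><id>A-2</id><product>ExampleShop</product><severity>low</severity>
       <url-pattern>/cart</url-pattern><description>Verbose error page</description></alert>""",
    """<alert><id>A-3</id><product>ExampleCMS</product>
       <url-pattern>/search</url-pattern><description>No severity given</description></alert>""",
    """<!DOCTYPE alert [<!ENTITY x SYSTEM "file:///etc/passwd">]>
       <alert><id>A-4</id><product>ExampleCMS</product><severity>critical</severity>
       <url-pattern>/</url-pattern><description>&x;</description></alert>""",
]

# Constructed subscriber preferences (hypothetical names).
SAMPLE_SUBSCRIPTIONS = {
    "cms-admins": {"products": {"ExampleCMS"}, "min_severity": "medium"},
    "everything": {"products": {"ExampleCMS", "ExampleShop"}, "min_severity": "low"},
}

if __name__ == "__main__":
    routed, rejected = process_feed(SAMPLE_FEED, SAMPLE_SUBSCRIPTIONS)
    print(routed)    # {'cms-admins': ['A-1'], 'everything': ['A-1', 'A-2']}
    print(rejected)  # two reasons: missing <severity>, DTD refused
</```>

Running it routes A-1 to both subscribers, A-2 only to the low-threshold one, and rejects A-3 (no severity) and A-4 (DTD present) with a reason the portal could log. The point of the exercise is the one Dias makes: once an alert is structured, routing and validation are a few lines of code instead of an analyst reading and rewriting text.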

The federal Interagency Security Committee also is working to integrate physical and IT security by focusing on smart cards rather than Subscriber Identity Module cards.

"In the future, all federal buildings are going to have to build in an infrastructure for smart cards," said Keith T. Hughes of the Homeland Security Department's Federal Protective Service, who heads the committee.

Hughes said it would take three to five years to incorporate such requirements into building plans. But a number of agencies, including the General Services Administration and the Bureau of Land Management, already use the technology for their facilities.

Common credential

Another federal group, the ID Credentialing Committee, is working on criteria for a common credential useful across the federal government.

"We are going to end the proliferation of stovepipes," said Judith Spencer, who heads the committee. She said it builds on the experience of the Federal Bridge Certification Authority, which cross-certifies some agencies' digital certificates. The bridge would play a role in the common federal ID, but each agency would issue its own credentials and set access policies.

"We will get the infrastructure in place," Spencer said. "It will be up to the agencies to determine how far they take the infrastructure."

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.